Adobe Patches Critical ColdFusion, Campaign Classic Vulnerabilities

Adobe on Tuesday announced security updates for ColdFusion and Campaign Classic to resolve half a dozen maximum-severity vulnerabilities.

The update for Adobe Campaign Classic resolves CVE-2026-48286 (CVSS score of 10/10), an incorrect authorization issue that could allow attackers to execute arbitrary code.

Patches for the flaw were included in Adobe Campaign Classic version 7.4.3 build 9397, which is now rolling out to Windows and Linux users.

Updates released for ColdFusion versions 2025 and 2023 address 11 security defects, including six that have a maximum severity rating of 10/10.

Tracked as CVE-2026-48276, CVE-2026-48277, CVE-2026-48281, CVE-2026-48316, CVE-2026-48282, and CVE-2026-48283, the vulnerabilities could lead to arbitrary code execution, Adobe’s advisory reveals.

According to Adobe, these flaws are rooted in the unrestricted upload of files with dangerous types, improper input validation, and path traversal weaknesses.

Two other critical-severity bugs resolved in ColdFusion, CVE-2026-48313 and CVE-2026-48315 (CVSS score of 9.3), are described as path traversal and improper input validation issues that could lead to arbitrary file system read and privilege escalation.

The update also resolves CVE-2026-48307 (CVSS score of 8.8), an XSS defect leading to arbitrary code execution; CVE-2026-48285 (CVSS score of 8.6), an SSRF flaw leading to security feature bypass; and CVE-2026-48314, a medium-severity path traversal leading to privilege escalation.

Fixes for all vulnerabilities were included in ColdFusion 2025 Update 10 and ColdFusion 2023 Update 21.

Adobe says it is not aware of any public exploits targeting these security defects, but has assigned a priority rating of 1 to both security updates, which indicates that the flaws could end up being exploited in attacks. Users are advised to update their applications as soon as possible.
